Finding evidence of wordlists being deployed against SSH honeypots – Implications and impacts

Document Type

Conference Proceeding

Publisher

Edith Cowan University

Faculty

Faculty of Health, Engineering and Science

School

ECU Security Research Institute

RAS ID

18749

Comments

Originally published in the Proceedings of the 12th Australian Digital Forensics Conference. Held on the 1-3 December, 2014 at Edith Cowan University, Joondalup Campus, Perth, Western Australia.Available here

Abstract

This paper is an investigation focusing on activities detected by three SSH honeypots that utilise Kippo honeypot software. The honeypots were located on the same /24 IPv4 network and configured as identically as possible. The honeypots used the same base software and hardware configurations. The data from the honeypots were collected during the period 17th July 2012 and 26th November 2013, a total of 497 active day periods. The analysis in this paper focuses on the techniques used to attempt to gain access to these systems by attacking entities. Although all three honeypots are have the same configuration settings and are located on the same IPv4 /24 subnet work space, there is a variation between the numbers of activities recorded on each honeypots. Automated password guessing using wordlists is one technique employed by cyber criminals in attempts to gain access to devices on the Internet. The research suggests there is wide use of automated password tools and wordlists in attempts to gain access to the SSH honeypots, there are also a wide range of account types being probed.

DOI

10.4225/75/57b3e7d5fb882

Access Rights

free_to_read

Share

 
COinS